MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e70c965ae03c89538c94cc65ada5194c0b129a67e4c5f0eca728965ff4f831ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

IcedID

Vendor detections: 12

SHA256 hash: e70c965ae03c89538c94cc65ada5194c0b129a67e4c5f0eca728965ff4f831ae
SHA3-384 hash: 6c94208a902b26a23b988cf20240933cc608c9087ed9a471713cf4a52f1d656cbf5b7716e181601c4dd09dca39ee937c
SHA1 hash: 4c717031f4d273a5505add19ba948740ae529450
MD5 hash: ffb7508a9fa7ea9c3adbaa1ee14e1cab
humanhash: carolina-vermont-tango-stream
File name: e70c965ae03c89538c94cc65ada5194c0b129a67e4c5f0eca728965ff4f831ae
Signature: IcedID
File size: 2'167'032 bytes
First seen: 2022-04-11 13:08:54 UTC
Last seen: 2022-04-13 18:35:50 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7c2432ec986def8c31b0b56827ea0ecb (1 x IcedID)
ssdeep: 49152:lqjLzkf6RGHWPbZgZF3VwaehC6CJCRppBk0fIW9S+DCntr3TI0ffWmHtSUElQM:EjLzGHUbBUEi
TLSH: T15DA5B293F6B251E8D9F6C0398B527627BDA1B82587359BD3960086174B32FF0E93E704
Reporter: JAMESWT_WT
Tags: BIC GROUP LIMITED exe IcedID signed

Code Signing Certificate

Organisation: BIC GROUP LIMITED
Issuer: Sectigo Public Code Signing CA R36
Algorithm: sha384WithRSAEncryption
Valid from: 2022-03-04T00:00:00Z
Valid to: 2023-03-04T23:59:59Z
Serial number: 101d6a5a29d9a77807553ceac669d853
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist: This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm: SHA256
Thumbprint: cd6aa9a7a4898e42b8361dc3542d0afb72e6deefc0b85ebfb55d282a2982b994
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC             ThreatFox Reference
ertimadifa.com  https://threatfox.abuse.ch/ioc/518554/

Intelligence

File Origin
# of uploads: 3
# of downloads: 445
Origin country: n/a

Vendor Threat Intelligence

Malware family:
ID: 1
File name: e70c965ae03c89538c94cc65ada5194c0b129a67e4c5f0eca728965ff4f831ae
Verdict: Malicious activity
Analysis date: 2022-04-11 13:12:03 UTC
Tags: trojan icedid
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour:
  Searching for the window
  Creating synchronization primitives
  DNS request
  Sending a custom TCP request
  Sending an HTTP GET request

Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour:
  MalwareBazaar
  MeasuringTime
  EvasionQueryPerformanceCounter
  CheckCmdLine

Result
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware overlay packed

Result
Verdict: SUSPICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: suspicious
Classification: evad
Score: 22 / 100
Signature: Tries to detect virtualization through RDTSC time measurements
Behaviour:
Behavior Graph:

Threat name: Win64.Trojan.IcedID
Status: Malicious
First seen: 2022-04-11 13:09:11 UTC
File Type: PE+ (Exe)
AV detection: 15 of 26 (57.69%)
Threat level: 5/5
Verdict: unknown

Result
Malware family:
Score: 10/10
Tags: family:icedid campaign:816407799 banker loader suricata trojan
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of WriteProcessMemory
  Program crash
  IcedID First Stage Loader
  IcedID, BokBot
  suricata: ET MALWARE Win32/IcedID Request Cookie
Malware Config
C2 Extraction: ertimadifa.com
Unpacked files
SHA256 hash: e70c965ae03c89538c94cc65ada5194c0b129a67e4c5f0eca728965ff4f831ae
MD5 hash: ffb7508a9fa7ea9c3adbaa1ee14e1cab
SHA1 hash: 4c717031f4d273a5505add19ba948740ae529450

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.